H3C S5500-SI Series Ethernet Switches Operation Manual-Release 1205-(V1.03)

30-SSL-HTTPS Operation

Chapter 1  SSL Configuration

When configuring SSL, go to these sections for information you are interested in:

• SSL Overview

• Configuring an SSL Server Policy

• Configuring an SSL Client Policy

• Displaying and Maintaining SSL

• Troubleshooting SSL Configuration

1.1  SSL Overview

SSL (Secure Sockets Layer) is a security protocol that provides a secure connection for TCP-based application layer protocols; for example, SSL can secure the HTTP protocol. The secure connection provided by SSL offers the following:

• Confidentiality: SSL encrypts data with a symmetric encryption algorithm, using a key generated during the handshake phase.

• Authentication: SSL performs certificate-based authentication of the server and, optionally, of the client.

• Reliability: SSL uses a key-based MAC (message authentication code) to verify the integrity of messages.

The SSL protocol has two layers: the SSL record protocol at the lower layer, and the SSL handshake protocol, SSL password change protocol and SSL alert protocol at the upper layer.

• SSL record protocol: fragments and compresses data from the upper layer, computes and appends a MAC, encrypts the result, and transmits the records to the peer end.

• SSL handshake protocol: the client and the server use the handshake protocol to initiate a session. A session consists of a group of parameters: session ID, peer certificate, cipher suite (key exchange algorithm, data encryption algorithm and MAC algorithm), compression algorithm and main key. An SSL session can be shared by multiple connections to reduce session negotiation cost.

• SSL password change protocol: the client and the server use the password change protocol to inform each other of the password change. Subsequent packets are protected and transmitted with the newly negotiated encryption suite and key pair.

• SSL alert protocol: allows one entity to report an alert message, containing the alert level and description, to the other.
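The record-layer steps listed above (fragment, add a MAC, transmit) and the receiver's integrity check, as an added Python example that is not part of the H3C manual. It models the TLS 1.0 record MAC input (64-bit sequence number, content type, version, length, fragment, as in RFC 2246) with HMAC-SHA1; compression and encryption are deliberately left out, and the key and data are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14         # largest record payload (16384 bytes)
CONTENT_APPLICATION_DATA = 23  # record content type for application data
TLS10_VERSION = (3, 1)         # TLS 1.0 is version 3.1 on the wire


def fragment(data, limit=MAX_FRAGMENT):
    """Step 1 of the record protocol: split upper-layer data into
    fragments no larger than one record can carry."""
    if not data:
        return [b""]
    return [data[i:i + limit] for i in range(0, len(data), limit)]


def record_mac(mac_key, seq_num, content_type, version, payload):
    """Step 2: HMAC-SHA1 over seq_num || type || version || length || fragment.
    The sequence number is never sent; both sides count records, so a
    replayed, dropped or reordered record produces a MAC mismatch."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(payload))
    return hmac.new(mac_key, header + payload, hashlib.sha1).digest()


def protect(mac_key, data, first_seq=0):
    """Sender side: return a list of (fragment, mac) records ready to be
    encrypted and transmitted (encryption is omitted in this model)."""
    records = []
    for offset, frag in enumerate(fragment(data)):
        mac = record_mac(mac_key, first_seq + offset,
                         CONTENT_APPLICATION_DATA, TLS10_VERSION, frag)
        records.append((frag, mac))
    return records


def verify(mac_key, expected_seq, frag, mac):
    """Receiver side: recompute the MAC for the record it expects next and
    compare in constant time. Tampering or replay yields False."""
    calc = record_mac(mac_key, expected_seq,
                      CONTENT_APPLICATION_DATA, TLS10_VERSION, frag)
    return hmac.compare_digest(calc, mac)


def reassemble(mac_key, records, first_seq=0):
    """Verify a stream of records in order and return the upper-layer data,
    or None at the first record whose MAC does not check out."""
    out = bytearray()
    for offset, (frag, mac) in enumerate(records):
        if not verify(mac_key, first_seq + offset, frag, mac):
            return None
        out += frag
    return bytes(out)


if __name__ == "__main__":
    key = b"constructed-demo-mac-key"          # constructed, not a real key
    records = protect(key, b"GET /index.html HTTP/1.1\r\n" * 1000)
    status = "intact" if reassemble(key, records) is not None else "corrupt"
    print(len(records), "records;", status)
```

Swapping two records or altering one byte of a fragment makes `reassemble` return None, which is the behaviour behind the "Reliability" bullet: the peer detects, rather than silently accepts, a modified stream.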

1.2  Configuring an SSL Server Policy

An SSL server policy is the set of SSL parameters used when the server starts. It takes effect only when associated with an application layer protocol (for example, HTTP).

1.2.1  Configuration Prerequisites

Before configuring an SSL server policy, you must configure a PKI (public key infrastructure) domain. For details of PKI domain configuration, refer to PKI Configuration.

1.2.2  Configuration Procedure

Follow these steps to configure an SSL server policy:

Enter system view
  Command: system-view

Create an SSL server policy and enter its view
  Command: ssl server-policy policy-name
  Remarks: Required

Configure the PKI domain used by the SSL server policy
  Command: pki-domain domain-name
  Remarks: Required. No PKI domain is configured by default.

Configure the cipher suites supported by the SSL server policy
  Command: ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
  Remarks: Optional. An SSL server policy supports all six cipher suites by default.

Configure the handshake timeout for the SSL server
  Command: handshake timeout time
  Remarks: Optional. 3600 seconds by default.

Configure the close mode for SSL connections
  Command: close-mode wait
  Remarks: Optional. The close mode for SSL connections is non-wait by default.

Configure the maximum number and timeout of buffered sessions
  Command: session { cachesize size | timeout time } *
  Remarks: Optional. The maximum number is 500 and the timeout is 3600 seconds by default.

Enable certificate-based SSL client authentication
  Command: client-verify enable
  Remarks: Optional. Not enabled by default.

 

Note:

It will take a long time to fully launch the GUI if the close mode for SSL connections is wait.
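The session cache that the session cachesize and session timeout parameters size, as an added Python model that is not from the H3C manual or its software. The defaults (500 entries, 3600 seconds) are the manual's; the eviction order (expired entries first, then the oldest) and the FakeClock used to show the timeout offline are this example's assumptions.

```python
import time
from collections import OrderedDict


class SslSessionCache:
    """Holds negotiated session parameters so that a returning client can
    resume instead of repeating the full handshake. Entries are dropped once
    older than `timeout` seconds or when `cachesize` is exceeded (oldest first)."""

    def __init__(self, cachesize=500, timeout=3600, clock=time.monotonic):
        if cachesize < 1 or timeout <= 0:
            raise ValueError("cachesize and timeout must be positive")
        self.cachesize = cachesize
        self.timeout = timeout
        self._clock = clock                 # seconds; injectable for tests
        self._entries = OrderedDict()       # session_id -> (stored_at, params)
        self.full_handshakes = 0
        self.resumptions = 0

    def _expire(self, now):
        """Drop every entry whose age has reached the timeout."""
        for sid, (stored_at, _) in list(self._entries.items()):
            if now - stored_at >= self.timeout:
                del self._entries[sid]

    def store(self, session_id, params):
        """Record the parameters negotiated by a completed full handshake."""
        now = self._clock()
        self._expire(now)
        self._entries.pop(session_id, None)
        while len(self._entries) >= self.cachesize:
            self._entries.popitem(last=False)   # evict the oldest session
        self._entries[session_id] = (now, params)

    def resume(self, session_id):
        """Return the cached parameters if the session is still valid;
        None means the client must perform a full handshake."""
        now = self._clock()
        self._expire(now)
        entry = self._entries.get(session_id)
        if entry is None:
            self.full_handshakes += 1
            return None
        self.resumptions += 1
        return entry[1]

    def __len__(self):
        return len(self._entries)


class FakeClock:
    """Manually advanced clock so the timeout behaviour can be shown offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Walk through eviction by size and by timeout with a small cache
    (cachesize 2, timeout 10 s: constructed values, not the defaults)."""
    clock = FakeClock()
    cache = SslSessionCache(cachesize=2, timeout=10, clock=clock)
    cache.store("s1", {"cipher": "rsa_aes_128_cbc_sha"})
    first = cache.resume("s1")                 # resumed from cache
    clock.now = 5.0
    cache.store("s2", {"cipher": "rsa_aes_256_cbc_sha"})
    cache.store("s3", {"cipher": "rsa_3des_ede_cbc_sha"})   # s1 evicted (size)
    evicted = cache.resume("s1")               # None: full handshake needed
    size_after_evict = len(cache)
    clock.now = 15.0                           # s2 and s3 are now 10 s old
    expired = cache.resume("s2")               # None: timed out
    return {
        "first": first,
        "evicted": evicted,
        "size_after_evict": size_after_evict,
        "expired": expired,
        "size_after_timeout": len(cache),
        "full_handshakes": cache.full_handshakes,
        "resumptions": cache.resumptions,
    }
```

A small cachesize or short timeout trades handshake cost for a smaller window in which a cached session can be resumed, which is the operational reason these two parameters are exposed together.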

 

1.2.3  SSL Server Policy Configuration Example

I. Network requirements

• A device works as the HTTPS server.

• A host works as the client and interacts with the HTTP server through the SSL-based HTTP protocol.

II. Network diagram

Figure 1-1 Network diagram for SSL server policy

III. Configuration procedure

# Configure SSL server policy.

<Sysname> system-view

[Sysname] ssl server-policy myssl

[Sysname-ssl-server-policy-myssl] pki-domain 1

[Sysname-ssl-server-policy-myssl] client-verify enable

[Sysname-ssl-server-policy-myssl] quit

# Associate the HTTPS service with the SSL server policy myssl.

[Sysname] ip https ssl-server-policy myssl

# Enable HTTPS service.

[Sysname] ip https enable

1.3  Configuring an SSL Client Policy

An SSL client policy is the set of SSL parameters used by the client when connecting to the server. It takes effect only when associated with an application layer protocol (for example, HTTP).

1.3.1  Configuration Prerequisites

Before configuring an SSL client policy, you must configure a PKI domain first.

1.3.2  Configuration Procedure

Follow these steps to configure an SSL client policy:

Enter system view
  Command: system-view

Create an SSL client policy and enter its view
  Command: ssl client-policy policy-name
  Remarks: Required

Configure the PKI domain used by the SSL client policy
  Command: pki-domain domain-name
  Remarks: Required. No PKI domain is configured by default.

Configure the preferred cipher suite for the SSL client policy
  Command: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
  Remarks: Optional. The preferred cipher suite is rsa_rc4_128_md5 by default.

Configure the SSL protocol version used by the SSL client policy
  Command: version { ssl3.0 | tls1.0 }
  Remarks: Optional. The SSL protocol version is TLS 1.0 by default.

 

Note:

If the server needs to perform certificate-based authentication of the client, a local certificate for the SSL client must be obtained in the client's PKI domain.

 

1.4  Displaying and Maintaining SSL

Display SSL server policy information
  Command: display ssl server-policy { policy-name | all }
  Remarks: Available in any view

Display SSL client policy information
  Command: display ssl client-policy { policy-name | all }
  Remarks: Available in any view

1.5  Troubleshooting SSL Configuration

1.5.1  SSL Handshake Failure

I. Symptom

When the device works as the SSL server, its handshake with the SSL client fails.

II. Analysis

SSL handshake failure may result from the following:

• The SSL server certificate does not exist, or the certificate cannot be trusted.

• The server is configured to authenticate the client, but the SSL client's certificate does not exist or cannot be trusted.

• The cipher suites supported by the SSL server and the client do not match.

III. Solution

1)         Use the debugging ssl command to view the debugging information:

• If the SSL server certificate does not exist, apply for one.

• If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA that issued the SSL server's certificate, or have the server reapply for a certificate from a CA trusted by the SSL client.

• If the server is configured to authenticate the client, but the SSL client's certificate does not exist or cannot be trusted, apply for and install a certificate for the client.

2)         Use the display ssl server-policy command to view the cipher suites supported by the SSL server policy. If they do not match the cipher suites supported by the client, use the ciphersuite command to modify the cipher suites supported by the SSL server.
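The cipher suite match that step 2 above asks you to check by hand, together with the ciphersuite (section 1.2.2) and prefer-cipher (section 1.3.2) settings it depends on, as an added Python example that is not part of the H3C manual. The six suite names are the manual's; the rule that the handshake settles on the first suite in the client's preference order that the server also offers, and the grading of single-DES, RC4 and MD5-based suites as weak, are this example's assumptions rather than statements from the manual.

```python
# The six cipher suites the manual lists for `ciphersuite` and `prefer-cipher`.
ALL_SUITES = (
    "rsa_3des_ede_cbc_sha",
    "rsa_aes_128_cbc_sha",
    "rsa_aes_256_cbc_sha",
    "rsa_des_cbc_sha",
    "rsa_rc4_128_md5",
    "rsa_rc4_128_sha",
)
DEFAULT_CLIENT_PREFER = "rsa_rc4_128_md5"   # manual: default prefer-cipher

# Assumption of this example (not a statement in the manual): single DES,
# RC4 and MD5-based MACs are no longer considered adequate, so a hardened
# server policy should not offer them.
WEAK_SUITES = frozenset({"rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha"})


def normalise(suites):
    """Validate suite names against the manual's list and drop duplicates,
    keeping the caller's order (for a client, its preference order)."""
    unknown = [s for s in suites if s not in ALL_SUITES]
    if unknown:
        raise ValueError("unknown cipher suite(s): " + ", ".join(unknown))
    return tuple(dict.fromkeys(suites))


def negotiate(server_suites, client_suites):
    """Model the handshake outcome: the first suite in the client's
    preference order that the server policy also supports, or None when the
    two sides share no suite (the mismatch case in section 1.5)."""
    offered = set(normalise(server_suites))
    for suite in normalise(client_suites):
        if suite in offered:
            return suite
    return None


def ciphersuite_command(suites):
    """Render the ssl server-policy view command that restricts the server
    to exactly these suites (troubleshooting step 2)."""
    return "ciphersuite " + " ".join(normalise(suites))


def strong_suites(suites):
    """Subset of `suites` not in WEAK_SUITES, order preserved."""
    return tuple(s for s in normalise(suites) if s not in WEAK_SUITES)


def diagnose(server_suites, client_suites):
    """Return (negotiated_suite, advice). When the server offers nothing the
    client accepts, advice is the `ciphersuite` line that would let the
    handshake succeed, preferring the client's strong suites."""
    chosen = negotiate(server_suites, client_suites)
    if chosen is not None:
        return chosen, None
    candidates = strong_suites(client_suites) or normalise(client_suites)
    return None, ciphersuite_command(candidates)


if __name__ == "__main__":
    hardened = strong_suites(ALL_SUITES)
    print(ciphersuite_command(hardened))
    # A client that only offers the default prefer-cipher cannot connect to
    # a hardened server: this is the mismatch described in section 1.5.
    print(negotiate(hardened, [DEFAULT_CLIENT_PREFER]))
    print(diagnose(hardened, [DEFAULT_CLIENT_PREFER, "rsa_aes_128_cbc_sha"]))
```

The practical caveat this surfaces: the client policy's default prefer-cipher is rsa_rc4_128_md5, so a server policy narrowed to the AES and 3DES suites only works with clients that also support one of those suites; check both policies with display ssl server-policy and display ssl client-policy before narrowing.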

 


Chapter 2  HTTPS Configuration

2.1  HTTPS Overview

HTTP Security (HTTPS) refers to the HTTP protocol that supports the Secure Sockets Layer (SSL) protocol.

The SSL protocol of HTTPS enhances the security of the device in the following ways:

• It uses the SSL protocol to ensure that legitimate clients can access the device securely and to reject illegal clients;

• It encrypts the data exchanged between the HTTPS client and the device to ensure data security and integrity, thus providing secure management of the device;

• It defines a certificate attribute-based access control policy for the device to control the access rights of clients, further protecting against attacks from illegal clients.

 

Note:

The total number of HTTP connections and HTTPS connections on a device cannot exceed ten.

 

2.2  Introduction to HTTPS Configuration Tasks

Table 2-1 HTTPS configuration tasks

Configuration task                                                                 Remarks
Associating the HTTPS Service with an SSL Server Policy                            Required
Enabling the HTTPS Service                                                         Required
Associating the HTTPS Service with a Certificate Attribute Access Control Policy   Optional
Associating the HTTPS Service with an ACL                                          Optional

2.3  Associating the HTTPS Service with an SSL Server Policy

You must associate the HTTPS service with an existing SSL server policy before enabling the HTTPS service.

Follow these steps to associate the HTTPS service with an SSL server policy:

Enter system view
  Command: system-view

Associate the HTTPS service with an SSL server policy
  Command: ip https ssl-server-policy policy-name
  Remarks: Required. Not associated by default.

Note:

• If the ip https ssl-server-policy command is executed repeatedly, the HTTPS service is associated only with the last specified SSL server policy.

• When the HTTPS service is disabled, the association between the HTTPS service and the SSL server policy is automatically removed. To enable the service again, you must re-associate the HTTPS service with an SSL server policy.

• While the HTTPS service is enabled, modifications to its associated SSL server policy do not take effect.

2.4  Enabling the HTTPS Service

Before configuring HTTPS, make sure that the HTTPS server is enabled; otherwise, the other related configurations cannot take effect.

Follow these steps to enable the HTTPS service:

Enter system view
  Command: system-view

Enable the HTTPS service
  Command: ip https enable
  Remarks: Required. Disabled by default.

Note:

• After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration.

• Enabling the HTTPS service triggers an SSL handshake negotiation. If the device already has a local certificate, the SSL negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the SSL negotiation triggers a certificate application process; because that process takes a long time, the SSL negotiation may fail and the HTTPS service cannot start normally. In that case, the ip https enable command must be executed multiple times to ensure normal startup of the HTTPS service.

2.5  Associating the HTTPS Service with a Certificate Attribute Access Control Policy

Associating the HTTPS service with a configured certificate attribute access control policy helps control the access rights of clients, providing the device with enhanced security.

Follow these steps to associate the HTTPS service with a certificate attribute access control policy:

Enter system view
  Command: system-view

Associate the HTTPS service with a certificate attribute access control policy
  Command: ip https certificate access-control-policy policy-name
  Remarks: Required. Not associated by default.

Note:

• If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS service is associated only with the last specified certificate attribute access control policy.

• If the HTTPS service is associated with a certificate attribute access control policy, the client-verify enable command must be configured in the SSL server policy; otherwise, the client cannot log on to the device. For the configuration of an SSL server policy, refer to PKI Configuration.

2.6  Associating the HTTPS Service with an ACL

Associating the HTTPS service with an ACL filters client requests so that only clients permitted by the ACL can access the HTTPS service.

Follow these steps to associate the HTTPS service with an ACL:

Enter system view
  Command: system-view

Associate the HTTPS service with an ACL
  Command: ip https acl acl-number
  Remarks: Required. Not associated by default.

Note:

If the ip https acl command is executed repeatedly, the HTTPS service is associated only with the last specified ACL.

2.7  Displaying and Maintaining HTTPS

Display information about HTTPS
  Command: display ip https
  Remarks: Available in any view

2.8  HTTPS Configuration Examples

 

Note:

• When a server running the Windows operating system is used as the CA, the Simple Certificate Enrollment Protocol plugin is required. In this case, specify that the entity applies for the certificate from the RA by using the certificate request from ra command when configuring the PKI domain.

• The Simple Certificate Enrollment Protocol plugin is not needed when RSA Keon software is used. In this case, specify that the entity applies for the certificate from the CA by using the certificate request from ca command when configuring the PKI domain.

• This section assumes that the Windows operating system is used on the CA server.

I. Network requirements

• Host acts as the HTTPS client and Device acts as the HTTPS server.

• Host accesses Device through the Web to control Device.

• The CA (Certificate Authority) issues a certificate to Device.

II. Network diagram

Figure 2-1 Network diagram for HTTPS configuration

III. Configuration procedure

Perform the following configurations on Device:

1)         Apply for a certificate for Device.

# Configure a PKI entity.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name http-server1

[Sysname-pki-entity-en] fqdn ssl.security.com

[Sysname-pki-entity-en] quit

# Configure a PKI domain.

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier ca1

[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Sysname-pki-domain-1] certificate request from ra

[Sysname-pki-domain-1] certificate request entity en

[Sysname-pki-domain-1] quit

# Generate a key pair locally by using the RSA algorithm.

[Sysname] rsa local-key-pair create

# Obtain a server certificate from CA.

[Sysname] pki retrieval-certificate ca domain 1

# Request a local certificate.

[Sysname] pki request-certificate domain 1

2)         Configure an SSL server policy associated with the HTTPS service.

# Create an SSL server policy named “myssl”.

[Sysname] ssl server-policy myssl

# Configure the name of the PKI domain at the SSL server end as 1.

[Sysname-ssl-server-policy-myssl] pki-domain 1

# Configure that the server requires client authentication.

[Sysname-ssl-server-policy-myssl] client-verify enable

[Sysname-ssl-server-policy-myssl] quit

3)         Reference the SSL server policy.

[Sysname] ip https ssl-server-policy myssl

4)         Enable the HTTPS service.

[Sysname] ip https enable

5)         Verify the configuration

Open Internet Explorer on Host and enter https://10.1.1.1. You can log on to Device and control it.

 

Note:

• For details of PKI commands, refer to PKI Commands.

• For details of the rsa local-key-pair create command, refer to SSH Terminal Service Commands.

 
